refactor(server): auth guard (#1472)

* refactor: auth guard * chore: move auth guard to middleware * chore: tests * chore: remove unused code * fix: migration to uuid without dataloss * chore: e2e tests * chore: removed unused guards
2025-11-14 17:36:12 +00:00 · 2023-01-31 13:11:49 -05:00 · 2023-01-31 13:11:49 -05:00 · d2a9363fc5
commit d2a9363fc5
parent 68af4cd5ba
40 changed files with 331 additions and 505 deletions
--- a/server/libs/domain/src/api-key/api-key.core.ts
+++ b/server/libs/domain/src/api-key/api-key.core.ts
@ -0,0 +1,27 @@
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { AuthUserDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
+import { IKeyRepository } from './api-key.repository';
+
+@Injectable()
+export class APIKeyCore {
+  constructor(private crypto: ICryptoRepository, private repository: IKeyRepository) {}
+
+  async validate(token: string): Promise<AuthUserDto | null> {
+    const hashedToken = this.crypto.hashSha256(token);
+    const keyEntity = await this.repository.getKey(hashedToken);
+    if (keyEntity?.user) {
+      const user = keyEntity.user;
+
+      return {
+        id: user.id,
+        email: user.email,
+        isAdmin: user.isAdmin,
+        isPublicUser: false,
+        isAllowUpload: true,
+      };
+    }
+
+    throw new UnauthorizedException('Invalid API key');
+  }
+}
--- a/server/libs/domain/src/api-key/api-key.service.spec.ts
+++ b/server/libs/domain/src/api-key/api-key.service.spec.ts
@ -1,20 +1,9 @@
-import { APIKeyEntity } from '@app/infra/db/entities';
 import { BadRequestException } from '@nestjs/common';
-import { authStub, userEntityStub, newCryptoRepositoryMock, newKeyRepositoryMock } from '../../test';
-import { ICryptoRepository } from '../auth';
+import { authStub, keyStub, newCryptoRepositoryMock, newKeyRepositoryMock } from '../../test';
+import { ICryptoRepository } from '../crypto';
 import { IKeyRepository } from './api-key.repository';
 import { APIKeyService } from './api-key.service';

-const adminKey = Object.freeze({
-  id: 1,
-  name: 'My Key',
-  key: 'my-api-key (hashed)',
-  userId: authStub.admin.id,
-  user: userEntityStub.admin,
-} as APIKeyEntity);
-
-const token = Buffer.from('my-api-key', 'utf8').toString('base64');
-
 describe(APIKeyService.name, () => {
  let sut: APIKeyService;
  let keyMock: jest.Mocked<IKeyRepository>;
@ -28,10 +17,8 @@ describe(APIKeyService.name, () => {

  describe('create', () => {
    it('should create a new key', async () => {
-      keyMock.create.mockResolvedValue(adminKey);
-
+      keyMock.create.mockResolvedValue(keyStub.admin);
      await sut.create(authStub.admin, { name: 'Test Key' });
-
      expect(keyMock.create).toHaveBeenCalledWith({
        key: 'cmFuZG9tLWJ5dGVz (hashed)',
        name: 'Test Key',
@ -42,7 +29,7 @@ describe(APIKeyService.name, () => {
    });

    it('should not require a name', async () => {
-      keyMock.create.mockResolvedValue(adminKey);
+      keyMock.create.mockResolvedValue(keyStub.admin);

      await sut.create(authStub.admin, {});

@ -66,7 +53,7 @@ describe(APIKeyService.name, () => {
    });

    it('should update a key', async () => {
-      keyMock.getById.mockResolvedValue(adminKey);
+      keyMock.getById.mockResolvedValue(keyStub.admin);

      await sut.update(authStub.admin, 1, { name: 'New Name' });

@ -84,7 +71,7 @@ describe(APIKeyService.name, () => {
    });

    it('should delete a key', async () => {
-      keyMock.getById.mockResolvedValue(adminKey);
+      keyMock.getById.mockResolvedValue(keyStub.admin);

      await sut.delete(authStub.admin, 1);

@ -102,7 +89,7 @@ describe(APIKeyService.name, () => {
    });

    it('should get a key by id', async () => {
-      keyMock.getById.mockResolvedValue(adminKey);
+      keyMock.getById.mockResolvedValue(keyStub.admin);

      await sut.getById(authStub.admin, 1);

@ -112,29 +99,11 @@ describe(APIKeyService.name, () => {

  describe('getAll', () => {
    it('should return all the keys for a user', async () => {
-      keyMock.getByUserId.mockResolvedValue([adminKey]);
+      keyMock.getByUserId.mockResolvedValue([keyStub.admin]);

      await expect(sut.getAll(authStub.admin)).resolves.toHaveLength(1);

      expect(keyMock.getByUserId).toHaveBeenCalledWith(authStub.admin.id);
    });
  });
-
-  describe('validate', () => {
-    it('should throw an error for an invalid id', async () => {
-      keyMock.getKey.mockResolvedValue(null);
-
-      await expect(sut.validate(token)).resolves.toBeNull();
-
-      expect(keyMock.getKey).toHaveBeenCalledWith('bXktYXBpLWtleQ== (hashed)');
-    });
-
-    it('should validate the token', async () => {
-      keyMock.getKey.mockResolvedValue(adminKey);
-
-      await expect(sut.validate(token)).resolves.toEqual(authStub.admin);
-
-      expect(keyMock.getKey).toHaveBeenCalledWith('bXktYXBpLWtleQ== (hashed)');
-    });
-  });
 });
--- a/server/libs/domain/src/api-key/api-key.service.ts
+++ b/server/libs/domain/src/api-key/api-key.service.ts
@ -1,5 +1,6 @@
 import { BadRequestException, Inject, Injectable } from '@nestjs/common';
-import { AuthUserDto, ICryptoRepository } from '../auth';
+import { AuthUserDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { IKeyRepository } from './api-key.repository';
 import { APIKeyCreateDto } from './dto/api-key-create.dto';
 import { APIKeyCreateResponseDto } from './response-dto/api-key-create-response.dto';
@ -55,22 +56,4 @@ export class APIKeyService {
    const keys = await this.repository.getByUserId(authUser.id);
    return keys.map(mapKey);
  }
-
-  async validate(token: string): Promise<AuthUserDto | null> {
-    const hashedToken = this.crypto.hashSha256(token);
-    const keyEntity = await this.repository.getKey(hashedToken);
-    if (keyEntity?.user) {
-      const user = keyEntity.user;
-
-      return {
-        id: user.id,
-        email: user.email,
-        isAdmin: user.isAdmin,
-        isPublicUser: false,
-        isAllowUpload: true,
-      };
-    }
-
-    return null;
-  }
 }
--- a/server/libs/domain/src/auth/auth.core.ts
+++ b/server/libs/domain/src/auth/auth.core.ts
@ -1,12 +1,10 @@
 import { SystemConfig, UserEntity } from '@app/infra/db/entities';
-import { IncomingHttpHeaders } from 'http';
 import { ISystemConfigRepository } from '../system-config';
 import { SystemConfigCore } from '../system-config/system-config.core';
 import { AuthType, IMMICH_ACCESS_COOKIE, IMMICH_AUTH_TYPE_COOKIE } from './auth.constant';
-import { ICryptoRepository } from './crypto.repository';
+import { ICryptoRepository } from '../crypto/crypto.repository';
 import { LoginResponseDto, mapLoginResponse } from './response-dto';
-import { IUserTokenRepository, UserTokenCore } from '@app/domain';
-import cookieParser from 'cookie';
+import { IUserTokenRepository, UserTokenCore } from '../user-token';

 export type JwtValidationResult = {
  status: boolean;
@ -59,21 +57,4 @@ export class AuthCore {
    }
    return this.cryptoRepository.compareBcrypt(inputPassword, user.password);
  }
-
-  extractTokenFromHeader(headers: IncomingHttpHeaders) {
-    if (!headers.authorization) {
-      return this.extractTokenFromCookie(cookieParser.parse(headers.cookie || ''));
-    }
-
-    const [type, accessToken] = headers.authorization.split(' ');
-    if (type.toLowerCase() !== 'bearer') {
-      return null;
-    }
-
-    return accessToken;
-  }
-
-  extractTokenFromCookie(cookies: Record<string, string>) {
-    return cookies?.[IMMICH_ACCESS_COOKIE] || null;
-  }
 }
--- a/server/libs/domain/src/auth/auth.service.spec.ts
+++ b/server/libs/domain/src/auth/auth.service.spec.ts
@ -1,25 +1,34 @@
 import { SystemConfig, UserEntity } from '@app/infra/db/entities';
 import { BadRequestException, UnauthorizedException } from '@nestjs/common';
+import { IncomingHttpHeaders } from 'http';
 import { generators, Issuer } from 'openid-client';
 import { Socket } from 'socket.io';
 import {
-  userEntityStub,
+  authStub,
+  keyStub,
  loginResponseStub,
  newCryptoRepositoryMock,
+  newKeyRepositoryMock,
+  newSharedLinkRepositoryMock,
  newSystemConfigRepositoryMock,
  newUserRepositoryMock,
+  newUserTokenRepositoryMock,
+  sharedLinkStub,
  systemConfigStub,
+  userEntityStub,
  userTokenEntityStub,
 } from '../../test';
+import { IKeyRepository } from '../api-key';
+import { ICryptoRepository } from '../crypto/crypto.repository';
+import { ISharedLinkRepository } from '../share';
 import { ISystemConfigRepository } from '../system-config';
 import { IUserRepository } from '../user';
-import { AuthType, IMMICH_ACCESS_COOKIE, IMMICH_AUTH_TYPE_COOKIE } from './auth.constant';
+import { IUserTokenRepository } from '../user-token';
+import { AuthType } from './auth.constant';
 import { AuthService } from './auth.service';
-import { ICryptoRepository } from './crypto.repository';
 import { SignUpDto } from './dto';
-import { IUserTokenRepository } from '@app/domain';
-import { newUserTokenRepositoryMock } from '../../test/user-token.repository.mock';
-import { IncomingHttpHeaders } from 'http';
+
+// const token = Buffer.from('my-api-key', 'utf8').toString('base64');

 const email = 'test@immich.com';
 const sub = 'my-auth-user-sub';
@ -51,6 +60,8 @@ describe('AuthService', () => {
  let userMock: jest.Mocked<IUserRepository>;
  let configMock: jest.Mocked<ISystemConfigRepository>;
  let userTokenMock: jest.Mocked<IUserTokenRepository>;
+  let shareMock: jest.Mocked<ISharedLinkRepository>;
+  let keyMock: jest.Mocked<IKeyRepository>;
  let callbackMock: jest.Mock;
  let create: (config: SystemConfig) => AuthService;

@ -81,8 +92,10 @@ describe('AuthService', () => {
    userMock = newUserRepositoryMock();
    configMock = newSystemConfigRepositoryMock();
    userTokenMock = newUserTokenRepositoryMock();
+    shareMock = newSharedLinkRepositoryMock();
+    keyMock = newKeyRepositoryMock();

-    create = (config) => new AuthService(cryptoMock, configMock, userMock, userTokenMock, config);
+    create = (config) => new AuthService(cryptoMock, configMock, userMock, userTokenMock, shareMock, keyMock, config);

    sut = create(systemConfigStub.enabled);
  });
@ -218,63 +231,73 @@ describe('AuthService', () => {
  });

  describe('validate - socket connections', () => {
+    it('should throw token is not provided', async () => {
+      await expect(sut.validate({}, {})).rejects.toBeInstanceOf(UnauthorizedException);
+    });
+
    it('should validate using authorization header', async () => {
      userMock.get.mockResolvedValue(userEntityStub.user1);
      userTokenMock.get.mockResolvedValue(userTokenEntityStub.userToken);
      const client = { request: { headers: { authorization: 'Bearer auth_token' } } };
-      await expect(sut.validate((client as Socket).request.headers)).resolves.toEqual(userEntityStub.user1);
+      await expect(sut.validate((client as Socket).request.headers, {})).resolves.toEqual(userEntityStub.user1);
    });
  });

-  describe('validate - api request', () => {
-    it('should throw if no user is found', async () => {
+  describe('validate - shared key', () => {
+    it('should not accept a non-existent key', async () => {
+      shareMock.getByKey.mockResolvedValue(null);
+      const headers: IncomingHttpHeaders = { 'x-immich-share-key': 'key' };
+      await expect(sut.validate(headers, {})).rejects.toBeInstanceOf(UnauthorizedException);
+    });
+
+    it('should not accept an expired key', async () => {
+      shareMock.getByKey.mockResolvedValue(sharedLinkStub.expired);
+      const headers: IncomingHttpHeaders = { 'x-immich-share-key': 'key' };
+      await expect(sut.validate(headers, {})).rejects.toBeInstanceOf(UnauthorizedException);
+    });
+
+    it('should not accept a key without a user', async () => {
+      shareMock.getByKey.mockResolvedValue(sharedLinkStub.expired);
      userMock.get.mockResolvedValue(null);
-      await expect(sut.validate({ email: 'a', userId: 'test' })).resolves.toBeNull();
+      const headers: IncomingHttpHeaders = { 'x-immich-share-key': 'key' };
+      await expect(sut.validate(headers, {})).rejects.toBeInstanceOf(UnauthorizedException);
+    });
+
+    it('should accept a valid key', async () => {
+      shareMock.getByKey.mockResolvedValue(sharedLinkStub.valid);
+      userMock.get.mockResolvedValue(userEntityStub.admin);
+      const headers: IncomingHttpHeaders = { 'x-immich-share-key': 'key' };
+      await expect(sut.validate(headers, {})).resolves.toEqual(authStub.adminSharedLink);
+    });
+  });
+
+  describe('validate - user token', () => {
+    it('should throw if no token is found', async () => {
+      userTokenMock.get.mockResolvedValue(null);
+      const headers: IncomingHttpHeaders = { 'x-immich-user-token': 'auth_token' };
+      await expect(sut.validate(headers, {})).rejects.toBeInstanceOf(UnauthorizedException);
    });

    it('should return an auth dto', async () => {
-      userMock.get.mockResolvedValue(userEntityStub.user1);
      userTokenMock.get.mockResolvedValue(userTokenEntityStub.userToken);
-      await expect(
-        sut.validate({ cookie: 'immich_access_token=auth_token', email: 'a', userId: 'test' }),
-      ).resolves.toEqual(userEntityStub.user1);
+      const headers: IncomingHttpHeaders = { cookie: 'immich_access_token=auth_token' };
+      await expect(sut.validate(headers, {})).resolves.toEqual(userEntityStub.user1);
    });
  });

-  describe('extractTokenFromHeader - Cookie', () => {
-    it('should extract the access token', () => {
-      const cookie: IncomingHttpHeaders = {
-        cookie: `${IMMICH_ACCESS_COOKIE}=signed-jwt;${IMMICH_AUTH_TYPE_COOKIE}=password`,
-      };
-      expect(sut.extractTokenFromHeader(cookie)).toEqual('signed-jwt');
+  describe('validate - api key', () => {
+    it('should throw an error if no api key is found', async () => {
+      keyMock.getKey.mockResolvedValue(null);
+      const headers: IncomingHttpHeaders = { 'x-api-key': 'auth_token' };
+      await expect(sut.validate(headers, {})).rejects.toBeInstanceOf(UnauthorizedException);
+      expect(keyMock.getKey).toHaveBeenCalledWith('auth_token (hashed)');
    });

-    it('should work with no cookies', () => {
-      const cookie: IncomingHttpHeaders = {
-        cookie: undefined,
-      };
-      expect(sut.extractTokenFromHeader(cookie)).toBeNull();
-    });
-
-    it('should work on empty cookies', () => {
-      const cookie: IncomingHttpHeaders = {
-        cookie: '',
-      };
-      expect(sut.extractTokenFromHeader(cookie)).toBeNull();
-    });
-  });
-
-  describe('extractTokenFromHeader - Bearer Auth', () => {
-    it('should extract the access token', () => {
-      expect(sut.extractTokenFromHeader({ authorization: `Bearer signed-jwt` })).toEqual('signed-jwt');
-    });
-
-    it('should work without the auth header', () => {
-      expect(sut.extractTokenFromHeader({})).toBeNull();
-    });
-
-    it('should ignore basic auth', () => {
-      expect(sut.extractTokenFromHeader({ authorization: `Basic stuff` })).toBeNull();
+    it('should return an auth dto', async () => {
+      keyMock.getKey.mockResolvedValue(keyStub.admin);
+      const headers: IncomingHttpHeaders = { 'x-api-key': 'auth_token' };
+      await expect(sut.validate(headers, {})).resolves.toEqual(authStub.admin);
+      expect(keyMock.getKey).toHaveBeenCalledWith('auth_token (hashed)');
    });
  });
 });
--- a/server/libs/domain/src/auth/auth.service.ts
+++ b/server/libs/domain/src/auth/auth.service.ts
@ -11,12 +11,16 @@ import { IncomingHttpHeaders } from 'http';
 import { OAuthCore } from '../oauth/oauth.core';
 import { INITIAL_SYSTEM_CONFIG, ISystemConfigRepository } from '../system-config';
 import { IUserRepository, UserCore } from '../user';
-import { AuthType } from './auth.constant';
+import { AuthType, IMMICH_ACCESS_COOKIE } from './auth.constant';
 import { AuthCore } from './auth.core';
-import { ICryptoRepository } from './crypto.repository';
+import { ICryptoRepository } from '../crypto/crypto.repository';
 import { AuthUserDto, ChangePasswordDto, LoginCredentialDto, SignUpDto } from './dto';
 import { AdminSignupResponseDto, LoginResponseDto, LogoutResponseDto, mapAdminSignupResponse } from './response-dto';
-import { IUserTokenRepository, UserTokenCore } from '@app/domain/user-token';
+import { IUserTokenRepository, UserTokenCore } from '../user-token';
+import cookieParser from 'cookie';
+import { ISharedLinkRepository, ShareCore } from '../share';
+import { APIKeyCore } from '../api-key/api-key.core';
+import { IKeyRepository } from '../api-key';

@Injectable()
 export class AuthService {
@ -24,14 +28,18 @@ export class AuthService {
  private authCore: AuthCore;
  private oauthCore: OAuthCore;
  private userCore: UserCore;
+  private shareCore: ShareCore;
+  private keyCore: APIKeyCore;

  private logger = new Logger(AuthService.name);

  constructor(
-    @Inject(ICryptoRepository) private cryptoRepository: ICryptoRepository,
+    @Inject(ICryptoRepository) cryptoRepository: ICryptoRepository,
    @Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository,
    @Inject(IUserRepository) userRepository: IUserRepository,
    @Inject(IUserTokenRepository) userTokenRepository: IUserTokenRepository,
+    @Inject(ISharedLinkRepository) shareRepository: ISharedLinkRepository,
+    @Inject(IKeyRepository) keyRepository: IKeyRepository,
    @Inject(INITIAL_SYSTEM_CONFIG)
    initialConfig: SystemConfig,
  ) {
@ -39,6 +47,8 @@ export class AuthService {
    this.authCore = new AuthCore(cryptoRepository, configRepository, userTokenRepository, initialConfig);
    this.oauthCore = new OAuthCore(configRepository, initialConfig);
    this.userCore = new UserCore(userRepository, cryptoRepository);
+    this.shareCore = new ShareCore(shareRepository, cryptoRepository);
+    this.keyCore = new APIKeyCore(cryptoRepository, keyRepository);
  }

  public async login(
@ -115,28 +125,40 @@ export class AuthService {
    }
  }

-  public async validate(headers: IncomingHttpHeaders): Promise<AuthUserDto | null> {
-    const tokenValue = this.extractTokenFromHeader(headers);
-    if (!tokenValue) {
-      return null;
+  public async validate(headers: IncomingHttpHeaders, params: Record<string, string>): Promise<AuthUserDto | null> {
+    const shareKey = (headers['x-immich-share-key'] || params.key) as string;
+    const userToken = (headers['x-immich-user-token'] ||
+      params.userToken ||
+      this.getBearerToken(headers) ||
+      this.getCookieToken(headers)) as string;
+    const apiKey = (headers['x-api-key'] || params.apiKey) as string;
+
+    if (shareKey) {
+      return this.shareCore.validate(shareKey);
    }

-    const hashedToken = this.cryptoRepository.hashSha256(tokenValue);
-    const user = await this.userTokenCore.getUserByToken(hashedToken);
-    if (user) {
-      return {
-        ...user,
-        isPublicUser: false,
-        isAllowUpload: true,
-        isAllowDownload: true,
-        isShowExif: true,
-      };
+    if (userToken) {
+      return this.userTokenCore.validate(userToken);
+    }
+
+    if (apiKey) {
+      return this.keyCore.validate(apiKey);
+    }
+
+    throw new UnauthorizedException('Authentication required');
+  }
+
+  private getBearerToken(headers: IncomingHttpHeaders): string | null {
+    const [type, token] = (headers.authorization || '').split(' ');
+    if (type.toLowerCase() === 'bearer') {
+      return token;
    }

    return null;
  }

-  extractTokenFromHeader(headers: IncomingHttpHeaders) {
-    return this.authCore.extractTokenFromHeader(headers);
+  private getCookieToken(headers: IncomingHttpHeaders): string | null {
+    const cookies = cookieParser.parse(headers.cookie || '');
+    return cookies[IMMICH_ACCESS_COOKIE] || null;
  }
 }
--- a/server/libs/domain/src/auth/index.ts
+++ b/server/libs/domain/src/auth/index.ts
@ -1,5 +1,4 @@
 export * from './auth.constant';
 export * from './auth.service';
-export * from './crypto.repository';
 export * from './dto';
 export * from './response-dto';
--- a/server/libs/domain/src/crypto/crypto.repository.ts
+++ b/server/libs/domain/src/crypto/crypto.repository.ts
--- a/server/libs/domain/src/crypto/index.ts
+++ b/server/libs/domain/src/crypto/index.ts
@ -0,0 +1 @@
+export * from './crypto.repository';
--- a/server/libs/domain/src/index.ts
+++ b/server/libs/domain/src/index.ts
@ -2,6 +2,7 @@ export * from './album';
 export * from './api-key';
 export * from './asset';
 export * from './auth';
+export * from './crypto';
 export * from './domain.module';
 export * from './job';
 export * from './oauth';
--- a/server/libs/domain/src/oauth/oauth.service.spec.ts
+++ b/server/libs/domain/src/oauth/oauth.service.spec.ts
@ -11,11 +11,11 @@ import {
  systemConfigStub,
  userTokenEntityStub,
 } from '../../test';
-import { ICryptoRepository } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { OAuthService } from '../oauth';
 import { ISystemConfigRepository } from '../system-config';
 import { IUserRepository } from '../user';
-import { IUserTokenRepository } from '@app/domain';
+import { IUserTokenRepository } from '../user-token';
 import { newUserTokenRepositoryMock } from '../../test/user-token.repository.mock';

 const email = 'user@immich.com';
--- a/server/libs/domain/src/oauth/oauth.service.ts
+++ b/server/libs/domain/src/oauth/oauth.service.ts
@ -1,13 +1,14 @@
 import { SystemConfig } from '@app/infra/db/entities';
 import { BadRequestException, Inject, Injectable, Logger } from '@nestjs/common';
-import { AuthType, AuthUserDto, ICryptoRepository, LoginResponseDto } from '../auth';
+import { AuthType, AuthUserDto, LoginResponseDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { AuthCore } from '../auth/auth.core';
 import { INITIAL_SYSTEM_CONFIG, ISystemConfigRepository } from '../system-config';
 import { IUserRepository, UserCore, UserResponseDto } from '../user';
 import { OAuthCallbackDto, OAuthConfigDto } from './dto';
 import { OAuthCore } from './oauth.core';
 import { OAuthConfigResponseDto } from './response-dto';
-import { IUserTokenRepository } from '@app/domain/user-token';
+import { IUserTokenRepository } from '../user-token';

@Injectable()
 export class OAuthService {
--- a/server/libs/domain/src/share/share.core.ts
+++ b/server/libs/domain/src/share/share.core.ts
@ -1,6 +1,13 @@
 import { AssetEntity, SharedLinkEntity } from '@app/infra/db/entities';
-import { BadRequestException, ForbiddenException, InternalServerErrorException, Logger } from '@nestjs/common';
-import { AuthUserDto, ICryptoRepository } from '../auth';
+import {
+  BadRequestException,
+  ForbiddenException,
+  InternalServerErrorException,
+  Logger,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { AuthUserDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { CreateSharedLinkDto } from './dto';
 import { ISharedLinkRepository } from './shared-link.repository';

@ -17,10 +24,6 @@ export class ShareCore {
    return this.repository.get(userId, id);
  }

-  getByKey(key: string): Promise<SharedLinkEntity | null> {
-    return this.repository.getByKey(key);
-  }
-
  create(userId: string, dto: CreateSharedLinkDto): Promise<SharedLinkEntity> {
    try {
      return this.repository.create({
@ -78,4 +81,26 @@ export class ShareCore {
      throw new ForbiddenException();
    }
  }
+
+  async validate(key: string): Promise<AuthUserDto | null> {
+    const link = await this.repository.getByKey(key);
+    if (link) {
+      if (!link.expiresAt || new Date(link.expiresAt) > new Date()) {
+        const user = link.user;
+        if (user) {
+          return {
+            id: user.id,
+            email: user.email,
+            isAdmin: user.isAdmin,
+            isPublicUser: true,
+            sharedLinkId: link.id,
+            isAllowUpload: link.allowUpload,
+            isAllowDownload: link.allowDownload,
+            isShowExif: link.showExif,
+          };
+        }
+      }
+    }
+    throw new UnauthorizedException('Invalid share key');
+  }
 }
--- a/server/libs/domain/src/share/share.service.spec.ts
+++ b/server/libs/domain/src/share/share.service.spec.ts
@ -1,15 +1,12 @@
 import { BadRequestException, ForbiddenException } from '@nestjs/common';
 import {
  authStub,
-  userEntityStub,
  newCryptoRepositoryMock,
  newSharedLinkRepositoryMock,
-  newUserRepositoryMock,
  sharedLinkResponseStub,
  sharedLinkStub,
 } from '../../test';
-import { ICryptoRepository } from '../auth';
-import { IUserRepository } from '../user';
+import { ICryptoRepository } from '../crypto';
 import { ShareService } from './share.service';
 import { ISharedLinkRepository } from './shared-link.repository';

@ -17,44 +14,18 @@ describe(ShareService.name, () => {
  let sut: ShareService;
  let cryptoMock: jest.Mocked<ICryptoRepository>;
  let shareMock: jest.Mocked<ISharedLinkRepository>;
-  let userMock: jest.Mocked<IUserRepository>;

  beforeEach(async () => {
    cryptoMock = newCryptoRepositoryMock();
    shareMock = newSharedLinkRepositoryMock();
-    userMock = newUserRepositoryMock();

-    sut = new ShareService(cryptoMock, shareMock, userMock);
+    sut = new ShareService(cryptoMock, shareMock);
  });

  it('should work', () => {
    expect(sut).toBeDefined();
  });

-  describe('validate', () => {
-    it('should not accept a non-existant key', async () => {
-      shareMock.getByKey.mockResolvedValue(null);
-      await expect(sut.validate('key')).resolves.toBeNull();
-    });
-
-    it('should not accept an expired key', async () => {
-      shareMock.getByKey.mockResolvedValue(sharedLinkStub.expired);
-      await expect(sut.validate('key')).resolves.toBeNull();
-    });
-
-    it('should not accept a key without a user', async () => {
-      shareMock.getByKey.mockResolvedValue(sharedLinkStub.expired);
-      userMock.get.mockResolvedValue(null);
-      await expect(sut.validate('key')).resolves.toBeNull();
-    });
-
-    it('should accept a valid key', async () => {
-      shareMock.getByKey.mockResolvedValue(sharedLinkStub.valid);
-      userMock.get.mockResolvedValue(userEntityStub.admin);
-      await expect(sut.validate('key')).resolves.toEqual(authStub.adminSharedLink);
-    });
-  });
-
  describe('getAll', () => {
    it('should return all keys for a user', async () => {
      shareMock.getAll.mockResolvedValue([sharedLinkStub.expired, sharedLinkStub.valid]);
@ -131,20 +102,6 @@ describe(ShareService.name, () => {
    });
  });

-  describe('getByKey', () => {
-    it('should not work on a missing key', async () => {
-      shareMock.getByKey.mockResolvedValue(null);
-      await expect(sut.getByKey('secret-key')).rejects.toBeInstanceOf(BadRequestException);
-      expect(shareMock.getByKey).toHaveBeenCalledWith('secret-key');
-    });
-
-    it('should find a key', async () => {
-      shareMock.getByKey.mockResolvedValue(sharedLinkStub.valid);
-      await expect(sut.getByKey('secret-key')).resolves.toEqual(sharedLinkResponseStub.valid);
-      expect(shareMock.getByKey).toHaveBeenCalledWith('secret-key');
-    });
-  });
-
  describe('edit', () => {
    it('should not work on a missing key', async () => {
      shareMock.get.mockResolvedValue(null);
--- a/server/libs/domain/src/share/share.service.ts
+++ b/server/libs/domain/src/share/share.service.ts
@ -1,6 +1,6 @@
 import { BadRequestException, ForbiddenException, Inject, Injectable, Logger } from '@nestjs/common';
-import { AuthUserDto, ICryptoRepository } from '../auth';
-import { IUserRepository, UserCore } from '../user';
+import { AuthUserDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { EditSharedLinkDto } from './dto';
 import { mapSharedLink, mapSharedLinkWithNoExif, SharedLinkResponseDto } from './response-dto';
 import { ShareCore } from './share.core';
@ -10,37 +10,12 @@ import { ISharedLinkRepository } from './shared-link.repository';
 export class ShareService {
  readonly logger = new Logger(ShareService.name);
  private shareCore: ShareCore;
-  private userCore: UserCore;

  constructor(
    @Inject(ICryptoRepository) cryptoRepository: ICryptoRepository,
    @Inject(ISharedLinkRepository) sharedLinkRepository: ISharedLinkRepository,
-    @Inject(IUserRepository) userRepository: IUserRepository,
  ) {
    this.shareCore = new ShareCore(sharedLinkRepository, cryptoRepository);
-    this.userCore = new UserCore(userRepository, cryptoRepository);
-  }
-
-  async validate(key: string): Promise<AuthUserDto | null> {
-    const link = await this.shareCore.getByKey(key);
-    if (link) {
-      if (!link.expiresAt || new Date(link.expiresAt) > new Date()) {
-        const user = await this.userCore.get(link.userId);
-        if (user) {
-          return {
-            id: user.id,
-            email: user.email,
-            isAdmin: user.isAdmin,
-            isPublicUser: true,
-            sharedLinkId: link.id,
-            isAllowUpload: link.allowUpload,
-            isAllowDownload: link.allowDownload,
-            isShowExif: link.showExif,
-          };
-        }
-      }
-    }
-    return null;
  }

  async getAll(authUser: AuthUserDto): Promise<SharedLinkResponseDto[]> {
@ -74,14 +49,6 @@ export class ShareService {
    }
  }

-  async getByKey(key: string): Promise<SharedLinkResponseDto> {
-    const link = await this.shareCore.getByKey(key);
-    if (!link) {
-      throw new BadRequestException('Shared link not found');
-    }
-    return mapSharedLink(link);
-  }
-
  async remove(authUser: AuthUserDto, id: string): Promise<void> {
    await this.shareCore.remove(authUser.id, id);
  }
--- a/server/libs/domain/src/share/shared-link.repository.ts
+++ b/server/libs/domain/src/share/shared-link.repository.ts
@ -6,7 +6,7 @@ export interface ISharedLinkRepository {
  getAll(userId: string): Promise<SharedLinkEntity[]>;
  get(userId: string, id: string): Promise<SharedLinkEntity | null>;
  getByKey(key: string): Promise<SharedLinkEntity | null>;
-  create(entity: Omit<SharedLinkEntity, 'id'>): Promise<SharedLinkEntity>;
+  create(entity: Omit<SharedLinkEntity, 'id' | 'user'>): Promise<SharedLinkEntity>;
  remove(entity: SharedLinkEntity): Promise<SharedLinkEntity>;
  save(entity: Partial<SharedLinkEntity>): Promise<SharedLinkEntity>;
  hasAssetAccess(id: string, assetId: string): Promise<boolean>;
--- a/server/libs/domain/src/user-token/user-token.core.ts
+++ b/server/libs/domain/src/user-token/user-token.core.ts
@ -1,12 +1,28 @@
 import { UserEntity } from '@app/infra/db/entities';
-import { Injectable } from '@nestjs/common';
-import { ICryptoRepository } from '../auth';
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { ICryptoRepository } from '../crypto';
 import { IUserTokenRepository } from './user-token.repository';

@Injectable()
 export class UserTokenCore {
  constructor(private crypto: ICryptoRepository, private repository: IUserTokenRepository) {}

+  async validate(tokenValue: string) {
+    const hashedToken = this.crypto.hashSha256(tokenValue);
+    const user = await this.getUserByToken(hashedToken);
+    if (user) {
+      return {
+        ...user,
+        isPublicUser: false,
+        isAllowUpload: true,
+        isAllowDownload: true,
+        isShowExif: true,
+      };
+    }
+
+    throw new UnauthorizedException('Invalid user token');
+  }
+
  public async getUserByToken(tokenValue: string): Promise<UserEntity | null> {
    const token = await this.repository.get(tokenValue);
    if (token?.user) {
--- a/server/libs/domain/src/user/user.core.ts
+++ b/server/libs/domain/src/user/user.core.ts
@ -10,7 +10,8 @@ import {
 import { hash } from 'bcrypt';
 import { constants, createReadStream, ReadStream } from 'fs';
 import fs from 'fs/promises';
-import { AuthUserDto, ICryptoRepository } from '../auth';
+import { AuthUserDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { CreateAdminDto, CreateUserDto, CreateUserOAuthDto } from './dto/create-user.dto';
 import { IUserRepository, UserListFilter } from './user.repository';

--- a/server/libs/domain/src/user/user.service.spec.ts
+++ b/server/libs/domain/src/user/user.service.spec.ts
@ -3,7 +3,8 @@ import { UserEntity } from '@app/infra/db/entities';
 import { BadRequestException, ForbiddenException, NotFoundException } from '@nestjs/common';
 import { when } from 'jest-when';
 import { newCryptoRepositoryMock, newUserRepositoryMock } from '../../test';
-import { AuthUserDto, ICryptoRepository } from '../auth';
+import { AuthUserDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { UpdateUserDto } from './dto/update-user.dto';
 import { UserService } from './user.service';

--- a/server/libs/domain/src/user/user.service.ts
+++ b/server/libs/domain/src/user/user.service.ts
@ -1,7 +1,8 @@
 import { BadRequestException, Inject, Injectable, NotFoundException } from '@nestjs/common';
 import { randomBytes } from 'crypto';
 import { ReadStream } from 'fs';
-import { AuthUserDto, ICryptoRepository } from '../auth';
+import { AuthUserDto } from '../auth';
+import { ICryptoRepository } from '../crypto';
 import { IUserRepository } from '../user';
 import { CreateUserDto } from './dto/create-user.dto';
 import { UpdateUserDto } from './dto/update-user.dto';
--- a/server/libs/domain/test/fixtures.ts
+++ b/server/libs/domain/test/fixtures.ts
@ -1,4 +1,5 @@
 import {
+  APIKeyEntity,
  AssetType,
  SharedLinkEntity,
  SharedLinkType,
@ -148,6 +149,16 @@ export const userTokenEntityStub = {
  }),
 };

+export const keyStub = {
+  admin: Object.freeze({
+    id: 1,
+    name: 'My Key',
+    key: 'my-api-key (hashed)',
+    userId: authStub.admin.id,
+    user: userEntityStub.admin,
+  } as APIKeyEntity),
+};
+
 export const systemConfigStub = {
  defaults: Object.freeze({
    ffmpeg: {
@ -275,6 +286,7 @@ export const sharedLinkStub = {
  valid: Object.freeze({
    id: '123',
    userId: authStub.admin.id,
+    user: userEntityStub.admin,
    key: Buffer.from('secret-key', 'utf8'),
    type: SharedLinkType.ALBUM,
    createdAt: today.toISOString(),
@ -288,6 +300,7 @@ export const sharedLinkStub = {
  expired: Object.freeze({
    id: '123',
    userId: authStub.admin.id,
+    user: userEntityStub.admin,
    key: Buffer.from('secret-key', 'utf8'),
    type: SharedLinkType.ALBUM,
    createdAt: today.toISOString(),
@ -300,6 +313,7 @@ export const sharedLinkStub = {
  readonly: Object.freeze<SharedLinkEntity>({
    id: '123',
    userId: authStub.admin.id,
+    user: userEntityStub.admin,
    key: Buffer.from('secret-key', 'utf8'),
    type: SharedLinkType.ALBUM,
    createdAt: today.toISOString(),
--- a/server/libs/domain/test/index.ts
+++ b/server/libs/domain/test/index.ts
@ -4,4 +4,5 @@ export * from './fixtures';
 export * from './job.repository.mock';
 export * from './shared-link.repository.mock';
 export * from './system-config.repository.mock';
+export * from './user-token.repository.mock';
 export * from './user.repository.mock';
--- a/server/libs/infra/src/db/entities/shared-link.entity.ts
+++ b/server/libs/infra/src/db/entities/shared-link.entity.ts
@ -1,6 +1,7 @@
 import { Column, Entity, Index, ManyToMany, ManyToOne, PrimaryGeneratedColumn, Unique } from 'typeorm';
 import { AlbumEntity } from './album.entity';
 import { AssetEntity } from './asset.entity';
+import { UserEntity } from './user.entity';

@Entity('shared_links')
@Unique('UQ_sharedlink_key', ['key'])
@ -14,6 +15,9 @@ export class SharedLinkEntity {
  @Column()
  userId!: string;

+  @ManyToOne(() => UserEntity)
+  user!: UserEntity;
+
  @Index('IDX_sharedlink_key')
  @Column({ type: 'bytea' })
  key!: Buffer; // use to access the inidividual asset
--- a/server/libs/infra/src/db/migrations/1674939383309-AddSharedLinkUserForeignKeyConstraint.ts
+++ b/server/libs/infra/src/db/migrations/1674939383309-AddSharedLinkUserForeignKeyConstraint.ts
@ -0,0 +1,18 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+
+export class AddSharedLinkUserForeignKeyConstraint1674939383309 implements MigrationInterface {
+  name = 'AddSharedLinkUserForeignKeyConstraint1674939383309';
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(`ALTER TABLE "shared_links" ALTER COLUMN "userId" TYPE varchar(36)`);
+    await queryRunner.query(`ALTER TABLE "shared_links" ALTER COLUMN "userId" TYPE uuid using "userId"::uuid`);
+    await queryRunner.query(
+      `ALTER TABLE "shared_links" ADD CONSTRAINT "FK_66fe3837414c5a9f1c33ca49340" FOREIGN KEY ("userId") REFERENCES "users"("id") ON DELETE NO ACTION ON UPDATE NO ACTION`,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(`ALTER TABLE "shared_links" DROP CONSTRAINT "FK_66fe3837414c5a9f1c33ca49340"`);
+    await queryRunner.query(`ALTER TABLE "shared_links" ALTER COLUMN "userId" TYPE character varying`);
+  }
+}
--- a/server/libs/infra/src/db/repository/shared-link.repository.ts
+++ b/server/libs/infra/src/db/repository/shared-link.repository.ts
@ -73,6 +73,7 @@ export class SharedLinkRepository implements ISharedLinkRepository {
            assetInfo: true,
          },
        },
+        user: true,
      },
      order: {
        createdAt: 'DESC',